Privacy-Friendly Eurovision Voting

Meilof Veeningen (TU/e: Eindhoven University of Technology)

Joint work with: Niels de Vreede (TU/e), Thomas Toft (Aarhus)

Motivation: Eurovision Song Contest

Next Saturday in Copenhagen

Contest between songs from 26 European countries, held since 1956 People from each country vote for the winner

Top-10 countries: 1,2,3,4,5,6,7,8,10,12 points 50% televoting/SMS; 50% “professional jury” Can’t vote for own country Most points win (today: ignore ties)

2008: Russia (Dima Bilan) Meilof Veeningen: Privacy-Friendly Eurovision Voting

Motivation: Eurovision Voting

country1. votes: 1,2,3,4,5,6,7,8,10,12 to … presenter

2.showresults

general publicProblems: - takes ages - countries learn each other’s votes!

2009: Norway (Alexander Rybak) Meilof Veeningen: Privacy-Friendly Eurovision Voting

Eurovision Voting: Requirements

We need a procedure for counting Eurovision votes:

(Performance I) Can be performed within 1.5 hours (Correctness) Anybody can verify the result and correctness of voter’s

inputs (no self-votes, votes 1,2,3,4,5,6,7,8,10,12 to different countries) (Privacy) Don’t know what individial countries voted (Performance II) Needs to be ready before Saturday

Existing solutions: everything except privacy Although we may improve performance in the process…

2010: Germany (Lena) Meilof Veeningen: Privacy-Friendly Eurovision Voting

Eurovision Voting: Our Solution (I)

Need to have a simple solution that is not a lot of work to program SCAPI: offers Damgard-Jurik (Pallier) encryption, (non-interactive) zero

knowledge proofs of encrypted value; AND and OR composition Idea: use MPC based on threshold homomorphic encryption [CDN01] w/Fiat-

Shamir Broadcast threshold homomorphic encryptions of votes Add votes, perform threshold decryption Prove correct voting by countries, correct decryption of output For correct voting, ZK proof of (e.g., for n=3):

(E1->1 OR E2->1 OR E3->1) AND (E1->2 OR E2->2 OR E3->2) AND (E1->3 OR E2->3 OR E3->3)

Multiple zero votes: encode as 0,1,2,3,…,15; encode real votes as 1000,2000,3000,…

2011: Azerbaijan (Ell/Nikki)

Eurovision Voting: Our Solution (II)

country{E_pk(v1),…, E_pk(vn),NIZKPOCV}presenter i

{{E_pk(v1),…,E_pk(vn),NIZKPOCV}_i, dv1,…,dvn,NIZKPOCDs}

general public

This satisfies correctness and privacy (with random oracle, trusted key setup)!

(pk) (threshold sk)

(pk)

2012: Loreen (Sweden)

Demo

Demo

Performance (I)

Can proofs be produced and transmitted within Europe in 1.5 hours?

2013: Denmark (Emmelie de Forest) Meilof Veeningen: Privacy-Friendly Eurovision Voting

10

1

2

3

4

5

6Proof time (s)

260

20000

40000

60000

80000

100000

120000

Proof size (b)

Conclusion & Performance II & Future Work Solution based on SCAPI: ~500 lines of code for proving correctness

of votes

Satisfies Correctness, Privacy, Performance I Performance II (“ready before Saturday”)? Kind of…

Future work: What happens with a tie? Preliminary round: only determine finalists Making the Netherlands win with kleptography?

2014: ? Meilof Veeningen: Privacy-Friendly Eurovision Voting